
Critical Redis bug threatens thousands of servers

The Redis security team released patches for a critical vulnerability that allows attackers to remotely execute arbitrary code. The issue had been present in the code for about 13 years.

The vulnerability has been assigned the identifier CVE-2025-49844 (10 out of 10 on the CVSS scale) and is a use-after-free bug that can be exploited by authenticated attackers using a specially crafted Lua script (Lua scripting is enabled by default).

Successful exploitation of the bug allows escaping the Lua sandbox, triggering a use-after-free, setting up a reverse shell for persistent access, and achieving remote code execution on the target Redis host.

After compromising a host, attackers can steal credentials, deploy malware, extract sensitive data from Redis, perform lateral movement by spreading the attack to other systems in the victim’s network, or use the stolen information to access cloud services.

“This gives an attacker full access to the host system, allowing them to exfiltrate, destroy, or encrypt sensitive data, hijack resources, and facilitate lateral movement in cloud environments,” explain researchers at Wiz, who demonstrated the vulnerability at the Pwn2Own Berlin competition in May 2025, dubbing it RediShell.

Although successful exploitation of the bug requires an attacker to obtain authenticated access to a Redis instance, Wiz analysts found about 330,000 accessible Redis instances on the internet, at least 60,000 of which do not require authentication.

Experts from Redis and Wiz have urged administrators to immediately install the patches released last week, prioritizing instances exposed to the internet.

To further protect Redis from remote attacks, administrators are advised to enable authentication, disable Lua scripting and other unnecessary features, run Redis under a non-root user account, enable logging and monitoring for Redis, restrict access to authorized networks only, and implement network-level access controls using firewalls and VPCs.
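The checks in that list that live in the configuration file can be verified offline. The script below is an added illustration, not code from Redis or from Wiz: it parses a redis.conf and reports which of the file-level recommendations (authentication, protected mode, bind scope, Lua scripting reachability) are not met. The two sample configurations and the `CHANGE-ME-placeholder` password are constructed for the example; the ACL rule evaluation is a simplification that only tracks the `@all`/`@scripting` categories and the `eval`/`evalsha` commands. Runtime state (CONFIG SET, external ACL files, the OS user Redis runs as) is outside what a static file audit can see.

```python
"""Offline audit of a redis.conf against the hardening checklist above.

Added example, not Redis project code. Static file only: it does not
connect to an instance and cannot see CONFIG SET changes or ACL files.
"""
import shlex


def parse_redis_conf(text):
    """Return {directive: [args, args, ...]} in file order.

    redis.conf quoting is shell-like, so shlex handles quoted values and the
    "" empty argument used by rename-command. Directive names are
    case-insensitive; Redis applies the file top to bottom, so for
    single-valued directives the last occurrence wins.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def last_value(conf, name, default=None):
    """Value of the last occurrence of a single-argument directive."""
    occurrences = conf.get(name)
    if not occurrences:
        return default
    args = occurrences[-1]
    return args[0] if args else ""


def user_allows_scripting(rules):
    """Evaluate ACL rules left to right (simplified to the categories we care about).

    A `user` line in redis.conf fully defines that user, which starts out with
    no commands, so evaluation begins from 'denied'.
    """
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit(text):
    """Return a list of findings; an empty list means every file-level check passed."""
    conf = parse_redis_conf(text)
    findings = []
    users = conf.get("user", [])
    default_user_rules = [args[1:] for args in users if args and args[0] == "default"]

    # 1. Authentication: either requirepass or an ACL default user with a password.
    if default_user_rules:
        if any("nopass" in (r.lower() for r in rules) for rules in default_user_rules):
            findings.append("default user is nopass: clients connect without authentication")
    elif not last_value(conf, "requirepass", default=""):
        findings.append("no requirepass set: clients connect without authentication")

    # 2. protected-mode defaults to yes; 'no' lets an unauthenticated instance answer remote clients.
    if last_value(conf, "protected-mode", default="yes").lower() == "no":
        findings.append("protected-mode no: unauthenticated instance accepts non-loopback clients")

    # 3. bind: missing or wildcard address means every interface, i.e. internet-facing if the host is.
    bind_args = conf.get("bind", [[]])[-1]
    wildcards = {"0.0.0.0", "*", "::", "-::", "-::*", "-0.0.0.0"}
    if not bind_args or any(a in wildcards for a in bind_args):
        findings.append("bind covers all interfaces: restrict to loopback or trusted networks")

    # 4. Lua scripting: disabled by renaming EVAL/EVALSHA away, or by ACL -@scripting on every user.
    renamed_away = {args[0].lower() for args in conf.get("rename-command", [])
                    if len(args) == 2 and args[1] == ""}
    off_by_rename = {"eval", "evalsha"} <= renamed_away
    off_by_acl = bool(default_user_rules) and not any(user_allows_scripting(a[1:]) for a in users)
    if not (off_by_rename or off_by_acl):
        findings.append('Lua scripting (EVAL/EVALSHA) reachable: rename-command EVAL "" or ACL -@scripting')
    return findings


# Constructed sample: an exposed instance with authentication and protection turned off.
WEAK_CONF = """
port 6379
protected-mode no
requirepass ""
"""

# Constructed sample following the checklist (password is a placeholder, not a real secret).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
user default on >CHANGE-ME-placeholder ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf_text))} finding(s)")
        for finding in audit(conf_text):
            print("  -", finding)
```

Run it against your own file with `audit(open("/etc/redis/redis.conf").read())`; the weak sample yields four findings (no password, protected mode off, all-interface bind, scripting reachable) and the hardened sample none. Because `rename-command` is a legacy mechanism, the hardened sample also denies the `@scripting` category on the default user so the result holds on deployments that rely on ACLs instead.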

“RediShell (CVE-2025-49844) is a critical vulnerability affecting all versions of Redis, since the root cause lies in the underlying Lua interpreter. Given the hundreds of thousands of internet-exposed instances worldwide, this vulnerability poses a serious threat to organizations across all industries,” warn Wiz specialists in their report.
